Mobile Devices Bring Cloud Storage -- and Security Risks -- to Work
Dropbox made headlines this week when Gawker.com was the first to report that an unnamed hacker broke into Mitt Romney's hotmail account with the same password used for a Dropbox account also associated with the GOP presidential candidate.
That followed on the heels of a decision last month by IBM to rollout a bring-your-own-device (BYOD) policy that bans the use of Dropbox.
IBM CIO Jeanette Horan initiated the policy because she's concerned that that the SaaS service could lead to the exposure of confidential corporate information, according to MIT's Technology Review magazine. (A survey by IBM of its employees found they were violating company rules by automatically forwarding internal e-mail to public Web mail services and using their smartphones as open Wi-Fi hotspots, opening corporate data to outside purview.)
Whether its Romney's email and Dropbox account or IBM's 400,000 employees, the risks associated with BYOD and cloud storage services highlight a problem IT shops now face: The potential loss of corporate data to an insecure public cloud. And it's not just Droxbox. There's a growing number of online consumer cloud services through which data can leak, including Box.net, Carbonite, Google Drive, Mozy, SugarSync, YouSendIt and Apple's iCloud.
"IBM has the world's BYOD program and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services," said Dion Hinchcliffe, executive vice president of strategy at Dachis Group, a consultancy. "So they blocked all access to cloud storage applications."
Hinchcliffe said the use of mobile applications is a huge problem in enterprises, but companies have only begun to address the issue. He suggested that every company have a "bus stop" policy: If an employee wouldn't be comfortable leaving company information at a bus stop, they shouldn't be willing to store it in un unsanctioned public cloud.
While many enterprises now have a BYOD policy, they typically do not address the applications that come with mobile devices.
The concern about using public cloud services revolves around the fact that those service providers are becoming a favorite target of data thieves, just as robbers target banks.
"These cloud data centers are becoming high-value targets," Hinchliffe said. "You have to remember, 90 percent of all data break-ins are caused by someone inside the company with the keys to the castle -- a systems administrator that's being paid to tap a customer list or download customers' credit card information. So there's a lot of temptation in these data centers ... for people who are likely to supplement their incomes and will be tempted to offers.
"You can access not just one company's data but credit card files from hundreds of companies," he said.
Dave Malcom, chief information security officer of Hyatt Hotels, said he's keenly aware that employees use consumer-grade cloud storage services with their mobile devices -- and it's an issue he's already addressing.
He said, for instance, that employees often use the same passwords for multiple systems, including their own devices and web services. That means if an online cloud storage service is hacked, Hyatt's email system could well be at risk, too.
The hotel chain is now surveying employee workstations to find out whether cloud storage apps such as Dropbox have been downloaded and what kind of information is being stored.
"Obviously, that means there's probably a corresponding machine they're placing documents on that we don't own," Malcom said. "We're starting to try to get in front of it. Then we're trying to provide them with a corporately blessed service.
"Obviously, it becomes a lot more challenging with devices we don't own," he added.
Cloud content sharing service SkyDox released a survey on Thursday that shows more than half of all employees leave their IT departments in the dark about the free file-sharing platforms they use to upload corporate documents. The survey of more than 4000 employees was conducted from April 16-30, and it showed that 77 percent of employees require access to work documents outside of their office - especially those who work in financial services (89 percent), professional services (96 percent) and healthcare (70 percent).
To enable that access, 66 percent of employees are using a free file-sharing platform to store or share corporate documents. That percentage is spiking to 87 percent for those in professional services and 84 percent for those in financial services.
Of those using file-sharing platforms, 55 percent do not notify their IT department of the file-sharing platforms they use. For some workers, that number is greater. For instance, 71 percent of employees in sales withhold information from IT, compared to 5 percent of respondents who work in financial positions.
The survey also revealed that 80 percent of respondents use their own mobile devices for work. Those who work in professional services (92 percent), financial services (86 percent) and healthcare (84 percent) are most likely to embrace BYOD habits, with creative services (60 percent) and government sectors (39 percent) lagging.
A major reason employees use consumer services to store business data is because there's no alternative offered by the company.
"You can use mobile device management platforms to help lock these applications down," Malcom said. "The other thing is, and this is more effective, [give] employees the applications you've blessed to do that. Some organizations are aggressive at rolling out Box.net so people don't use EverNotes and Dropbox, which are considered less secure."
When it comes to bringing your own devices to work, Hyatt Hotels has strict policies. For example, the company requires all employees to register mobile devices and it makes no bones about the fact that it will remotely wipe all data on any device that is lost or stolen. And, no confidential data can be stored outside of the corporate firewall.
Of course, if the data is being backed up onto a cloud service, that will require new policies and technology, he said.
"We're not naive enough to believe policy alone is the answer, and we don't need technology behind us to help enforce these policies," he said. "We want our employees to do the right things and hope they do the right things, but we know there may be times that they don't have the tools."
Malcom hopes to push employees toward using corporately owned Sharepoint for content sharing, but he also realizes it's not the most user-friendly utility to use on an iPad.
"So something like Dropbox that's totally easy and consumer friendly, they're going to gravitate toward that," he said. "If we can find someone like a Box.net that we can enter into an enterprise agreement with and help reduce some liability and get some contractual terms in place, that's what we'd like to offer to our user community."
Malcom believes the time for single-word passwords is over. He's hoping to create a policy where employees will use pass phrases, sentences that are easy to remember, so that his company will not have to require password updates as often.
"So instead of changing it every 90 days, maybe we move to six months or every year," he said. "Ultimately, I'd like to get to biometrics or RFID proximity cards where you just have a four-digit pin along with your card or your fingerprint in order to get onto our systems."
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is email@example.com.
Read more about cloud computing in Computerworld's Cloud Computing Topic Center.